New Data Protection Regulations Approved

Published On:Wednesday, July 18, 2018

IC News release.jpg

Tynwald has approved the GDPR and LED Implementing Regulations 2018 (‘Regulations’) and as a result the new data protection legislation comprising of the Data Protection Act 2018, the Data Protection (Application of GDPR) Order 2018, the Data Protection (Application of LED) Order 2018, together with the Regulations will come into force on 1 August 2018.  At the same time, with the exception of a transitional provision for Part 3 (Notification by data controllers), the Data Protection Act 2002 will be repealed.

The new data protection legislation brings the Island into line with other jurisdictions that have implemented equivalent legislation to the EU GDPR which came into full force in EU Member States on 25 May 2018.

The legislation contains some transitional arrangements which provide further time for businesses and organisations to adapt to the new legislation. In particular, there are transitional arrangements until 1 February 2019 for registration renewals and until 25 May 2019 in respect of compliance with the new transparency and consent requirements. 

Every business and organisation that processes personal data needs to understand its new obligations, identify what personal data it processes and why, consider how long that data should be retained and what security measures are required to protect that data. This is the information that has to be provided to an individual under the transparency requirement and it is hoped that businesses and organisations will use the transitional period to communicate that information to individuals at an appropriate time in the coming year and not wait to the last minute. There is a small business guide on the website that provides more information about the new requirements.   

The Information Commissioner’s website has been updated to provide some specific guidance on the new data protection legislation and the transitional arrangements; this is in addition to guidance already published about the EU GDPR.  As yet, not all guidance has been updated; further updates will be published as soon as possible, as resources permit. In the interim, guidance published under the 2002 Act remains available from the document library.